Traits of Highly Successful Security Organizations: Executive Insights
Not only are we accountable for being preemptive and vigilant against security threats and safeguarding business networks, we’re now rapidly evolving to become stewards of our organization’s brand, strengthening its reputation while also building board credibility and customer trust. In my more than 12 years as CISO of Amazon Web Services, partnering with numerous AWS customers in their cloud and security journeys, I’ve come to recognize some standout organizations that are taking on this transformation remarkably well. I’ve also been able to see firsthand how they’re doing it.

What do we mean by successful security organizations? These are companies that are improving their risk posture at a more efficient rate than others, while, at the same time, optimizing their use of cloud to create new forms of business value at a faster pace.

The three key traits of highly successful security organizations:

1) They are forward-leaning with audit and legal.
2) They leverage automation.
3) They practice agile decision making.
TRAIT #2
They leverage automation
With so much changing all the time, security must
work hard to keep up with the evolution of software
engineering practices. In highly successful security
organizations, terms like “automation,” “backlog,”
“CI/CD,” and “Agile” are becoming commonplace in the
security lexicon. In fact, Agile, DevOps, and CI/CD are
fundamental practices for most security professionals.
Security as code
The most successful security leaders and organizations understand that security is not something to be bolted on after building something—it should be deeply integrated with the development process itself. If done well, it accelerates development and aligns security practices with the realities of the development lifecycle.

Customers who have embraced cloud adoption have automated their security operations tasks as code in addition to the software they’re developing. A great example of this is the practice of pushing out firewall rule changes. It’s not about logging into a device anymore; it’s about leveraging software as code to enable a continuous build system to test those changes and push them out in near real time.

Automating security tasks can change how an entire security team operates. Here are some examples of ways to automate security functions:

- Automatically create tickets and escalate alerts to ensure consistent and timely action.
- Generate IAM policies automatically to help reduce the risk of human error.
- Automate and centralize log management.
- Leverage services and code to automate your threat detection and response capabilities.

Committing code to a repository and having it go through a pipeline for deployment means that no access to production systems is needed, which measurably reduces security risks. Also, every action is logged—from the developer committing the code, to the manager doing the approval, to the build systems releasing the code to production—there is a record of every action that was taken.
More successful CISOs are collaborating with their engineering teams to build guardrails instead of gates, which allows their dev teams and business units to take more accountability and responsibility for security. It’s not about giving up control; it’s about encouraging other teams to be owners so they feel invested.

At AWS, for example, if service teams have a question about security, or if something isn’t going right in the software testing process, the security team is available to provide guidance and partner with the service organization. But the onus is on the service owner to bring the issue to resolution.
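The following is an added illustration of the "security as code" pipeline and the guardrail idea described above; it is example code written for this page, not code from the brief or from AWS. A firewall rule change arrives as data rather than as someone logging into a device, the build system runs guardrail checks before anything can be released, an approval from someone other than the author is required, and every step (commit, check, approval, release) is written to one audit record. The rule schema, the restricted-port list and the approval policy are assumptions made for illustration.

```python
"""Pipeline guardrail for firewall rule changes, with an audit trail.

Added example, not code from the brief: a rule change is committed as data,
tested by the build system, and released without anyone touching production,
and every step is recorded. Rule schema, restricted ports and the approval
policy are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical policy: these ports are never opened to every source address.
RESTRICTED_PORTS = {22, 3389, 3306, 5432}


@dataclass
class Finding:
    rule_id: str
    message: str


def validate_rules(rules):
    """Return guardrail findings for a proposed rule set; an empty list means clean."""
    findings = []
    seen_ids = set()
    for rule in rules:
        rid = str(rule.get("id", "<no id>"))
        if rid in seen_ids:
            findings.append(Finding(rid, "duplicate rule id"))
        seen_ids.add(rid)
        # Structural checks: the fields the deploy step relies on must parse.
        try:
            network = ipaddress.ip_network(rule["source"], strict=False)
            port = int(rule["port"])
        except (KeyError, ValueError) as exc:
            findings.append(Finding(rid, f"malformed rule: {exc}"))
            continue
        if not 0 < port < 65536:
            findings.append(Finding(rid, f"port {port} out of range"))
        if rule.get("action") not in ("allow", "deny"):
            findings.append(Finding(rid, "action must be 'allow' or 'deny'"))
        if not rule.get("owner"):
            findings.append(Finding(rid, "rule has no owner"))
        # Policy check: a wide-open allow on an admin or database port is refused.
        if (rule.get("action") == "allow" and network.prefixlen == 0
                and port in RESTRICTED_PORTS):
            findings.append(Finding(rid, f"allow from any source on restricted port {port}"))
    return findings


@dataclass
class AuditLog:
    """Append-only record of who did what; one entry per pipeline action."""
    events: list = field(default_factory=list)

    def record(self, actor, action, detail=""):
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
        })


def run_pipeline(change, audit):
    """Commit -> guardrail -> approval -> release; returns 'released' or 'rejected'."""
    audit.record(change["author"], "commit", change["commit"])
    findings = validate_rules(change["rules"])
    if findings:
        for f in findings:
            audit.record("build-system", "guardrail-failed", f"{f.rule_id}: {f.message}")
        return "rejected"
    audit.record("build-system", "guardrail-passed", f"{len(change['rules'])} rules checked")
    # Assumed policy: at least one approval from someone other than the author.
    approvers = [a for a in change.get("approvals", []) if a != change["author"]]
    if not approvers:
        audit.record("build-system", "approval-missing", "no independent approver")
        return "rejected"
    for approver in approvers:
        audit.record(approver, "approve", change["commit"])
    audit.record("build-system", "release", change["commit"])
    return "released"


# Constructed sample changes; commit ids are placeholders, not real commits.
GOOD_CHANGE = {
    "commit": "commit-0001 (constructed)", "author": "dev-alice", "approvals": ["mgr-bob"],
    "rules": [
        {"id": "web-https", "source": "0.0.0.0/0", "port": 443, "action": "allow", "owner": "web-team"},
        {"id": "ssh-bastion", "source": "10.20.0.0/24", "port": 22, "action": "allow", "owner": "platform"},
    ],
}
BAD_CHANGE = {
    "commit": "commit-0002 (constructed)", "author": "dev-carol", "approvals": ["dev-carol"],
    "rules": [
        {"id": "ssh-anywhere", "source": "0.0.0.0/0", "port": 22, "action": "allow", "owner": "platform"},
        {"id": "db", "source": "10.0.0.0/8", "port": "five", "action": "allow", "owner": ""},
    ],
}

if __name__ == "__main__":
    for change in (GOOD_CHANGE, BAD_CHANGE):
        audit = AuditLog()
        print(f"{change['commit']}: {run_pipeline(change, audit)}")
        for event in audit.events:
            print(f"  {event['actor']:>12} {event['action']:<17} {event['detail']}")
```

The guardrail rejects the bad change before the approval step is ever reached, so the audit log shows exactly which rule failed and why; the good change produces four entries (commit, guardrail-passed, approve, release), which is the "record of every action that was taken" the text describes.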
Continuous improvement
The leading security organizations make continuous improvement a
priority by continually collecting feedback and creating a closed loop
to drive improvement based on that information. This is true whether
it’s immediate feedback to a developer writing code or feedback to the
application security engineer on the effectiveness of their engagement.
Over time, we’ve evolved the ways in which we use feedback loops
within AWS security, and have observed many leading security
organizations operationalizing best practices, such as:
For instance, cryptography is complex, and it’s not scalable to hire cryptographers for every team. Therefore, when someone in the organization wants to make a change to cryptographic code, we make sure the person requesting the changes has the right training. And we maintain a set of peer reviewers with exceptional crypto capabilities, who can ensure the change is implemented correctly.

Another mechanism we employ a lot at AWS is what we call “How’s my driving?” surveys. The idea is very similar to how we follow up on customer service experiences on Amazon.com—essentially asking, “Did we solve your problem, yes or no?” Our security teams take this same approach with our internal customers when we conduct our AppSec reviews. Any “okay” or “poor” responses prompt a conversation during our AppSec weekly business review. What went wrong? How will we improve it? Viewing your internal business partners as your customer, and working backwards from their requirements, is what enables us to deliver application security at scale.

Here are some of the characteristics our customers tell us they look for when building best-in-class security teams:

- Deep understanding of our services and internal systems
- Offers actionable solutions to service team’s security questions
- Innovates with our service teams and contributes to their roadmap
- Relentlessly curious
- Penchant for automation
Encourage escalation
Something doesn’t look or feel right. There’s a question or confusion about something. The message from the most successful security organizations comes in two words: “Escalate early.” Anyone who’s used a compass knows that it’s much easier to course correct earlier on in the journey.

It’s better to get together with the right data and decision makers than to be paralyzed by analysis. What we’ve learned at AWS is that the magic amount of necessary information for good decision making is around 80 percent. If you try to wait until you have all of the data, it will already be too late. And that style of hesitation is particularly unsuited for the speedy world of security.

Also, key information surrounding an escalation is best served unfiltered. Deferring to expertise rather than authority and hierarchy gets everyone the data they need in order to make faster—and still well-informed—decisions. If there is someone between a leader and an expert, you stand to lose clarity or dilute the problem, and you can bet that senior leadership will have questions that require exact answers. At the end of the day, everyone who owns a product should feel accountable. Deep understanding comes from having a deep sense of liability and ownership, and leads to quickly identifying root causes when things go wrong.

We’ve seen some security organizations encourage “escalation buddies.” When a key practitioner goes on vacation or gets sick, the buddy is there and up to speed should something go wrong, is experienced in the space, and is empowered to escalate at the right time.
CONCLUSION
As we’ve seen, while there’s no specific formula, there are recurring traits that make some security organizations particularly successful:

1) They work closely—and proactively—with legal and compliance professionals, audit partners, and regulators.

2) They are deliberate in keeping up with the increasingly rapid evolution of software engineering practices.

It’s true that many companies are proficient in one or two of these areas. The secret of the most successful security organizations is that they recognize they must maintain all three of these standards. They also recognize that these standards are not standalone—they must be operating in unison in order to achieve the highest levels of success.
AWS Well-Architected
A framework for achieving operational excellence,
security, reliability, performance efficiency, and cost
optimization with AWS.
Stephen E. Schmidt, Vice President & Chief Information Security Officer, Amazon Web Services
@stephenschmidt
Stephen Schmidt’s duties at AWS include leading product design, management, and engineering
development efforts focused on bringing the competitive, economic, and security benefits of cloud
computing to business and government customers.
Prior to joining AWS, Stephen had an extensive career at the Federal Bureau of Investigation, where he
served as a senior executive. His responsibilities at the FBI included a term as Acting Chief Technology
Officer, Section Chief, responsible for the FBI’s technical collection and analysis platforms, and as a
Section Chief overseeing the FBI’s Cyber Division components responsible for the technical analysis of
computer and network intrusion activities. His Cyber Division oversight included areas of malicious code
analysis, computer exploitation tool reverse-engineering, and technical analysis of computer intrusions.